External Identity Providers
As OpenStack gains enterprise traction, the need to allow non-Keystone identities to log in to Horizon or execute APIs becomes more relevant. Consider the following use cases:
Acme has its own cloud setup running Keystone against its back-end Active Directory. Acme would like to automatically burst VM provisioning and/or utilization to a public cloud service provider according to capacity and usage rules.
Acme would like to enable identity federation so that only one credential set is needed between the 2 clouds.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Medium
- Drafter: Joe Savak
- Direction: Needs approval
- Assignee: Marek Denis
- Definition: Pending Approval
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: 2014.1
- Started by: Dolph Mathews
- Completed by: Dolph Mathews
Whiteboard
blueprint saml-id (https:/
Gerrit topic: https:/
Specified by: https:/
Add IdP management extension (Federation pt1)
Addressed by: https:/
Virtual Identity Providers CRUD operations.
Addressed by: https:/
Virtual Identity Providers CRUD operations.
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Fix federation documentation reference
Addressed by: https:/
Remove autoincrement from String column.
Addressed by: https:/
Fix docstrings in federation controller.
Addressed by: https:/
Don't set default for a nullable column
Addressed by: https:/
Use self or cls for local references
Addressed by: https:/
Refactor mutable parameter handling
Addressed by: https:/
Refactor federation controller class hierarchy
Addressed by: https:/
Remove unnecessary test methods
Addressed by: https:/
Federation IdentityProvider filter fields on update response
Work Items
Suggested workflow sent to mailing list: TODO
Feedback incorporated: TODO
Trusted Service Provider/Identity Provider v3 contract suggestions: TODO
Feedback incorporated: TODO
SAML request/response to bearer token: TODO
Validate token changes: TODO
Revoke token changes: TODO
Service catalog (likely new blueprint): TODO